Success Probability of Multiple/Multidimensional Linear Cryptanalysis Under General Key Randomisation Hypotheses
Subhabrata Samajder and Palash Sarkar
Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India
subhabrata.samajder@gmail.com, palash@isical.ac.in

Abstract. This work considers statistical analysis of attacks on block ciphers using several linear approximations. A general and unified approach is adopted. To this end, the general key randomisation hypotheses for multidimensional and multiple linear cryptanalysis are introduced. Expressions for the success probability in terms of the data complexity and the advantage are obtained using the general key randomisation hypotheses for both multidimensional and multiple linear cryptanalysis and under the settings where the plaintexts are sampled with or without replacement. Particularising to standard/adjusted key randomisation hypotheses gives rise to success probabilities in 16 different cases, out of which in only five cases expressions for success probabilities have been previously reported. Even in these five cases, the expressions for success probabilities that we obtain are more general than what was previously obtained. A crucial step in the analysis is the derivation of the distributions of the underlying test statistics. While we carry out the analysis formally to the extent possible, there are certain inherently heuristic assumptions that need to be made. In contrast to previous works which have implicitly made such assumptions, we carefully highlight these and discuss why they are unavoidable. Finally, we provide a complete characterisation of the dependence of the success probability on the data complexity.

Keywords: multidimensional linear cryptanalysis, multiple linear cryptanalysis, chi-squared distribution, success probability, data complexity, advantage.

1 Introduction

Linear cryptanalysis for block ciphers was introduced by Matsui in [].
Matsui's work spurred a great deal of research and considered several aspects of linear cryptanalysis. At a broad level, the attacks are of two types. The goal of one type of attack is to recover a subset of the bits of the secret key; such attacks are called key recovery attacks. A different and weaker type of attack seeks only to distinguish the output of a block cipher from uniform random bits. Such attacks are called distinguishing attacks. In this work, we will be concerned only with key recovery attacks.

At a broad level, linear cryptanalysis proceeds in the following manner. A careful study of the block cipher results in one or more linear approximations. During the data collection phase, $N$ plaintexts $P_1, \ldots, P_N$ are chosen and the corresponding ciphertexts under a secret but fixed key are obtained. The key recovery algorithm is applied to the obtained plaintext-ciphertext pairs and the output is a list of possible values of the partial key. An attack is said to be successful if the correct value of the key is in the output list. For an attack, the success probability is denoted by $P_S$; the data complexity is $N$; and the attack has an advantage $a$ if the size of the output list is $2^{-a}$ times the total number of partial keys. The goal of a statistical analysis of such a key recovery attack is to obtain a relation between $P_S$, $N$ and $a$.

(Footnote: Financial support from the R. C. Bose Center for Cryptology and Security, Indian Statistical Institute, Kolkata, India.)

A formal statistical treatment of linear cryptanalysis has the following aspects.

Multiple versus multidimensional linear cryptanalysis: One issue is whether a single linear approximation is available or whether several such linear approximations are available. In the latter case, the analysis is of two types depending on whether the several linear approximations can be considered independent or not. If the analysis is under the independence assumption, then the attack is often called multiple linear cryptanalysis, whereas if the independence assumption is not made, then the attack is often called multidimensional linear cryptanalysis.

Sampling with or without replacement: For the attack, plaintexts $P_1, \ldots, P_N$ are randomly sampled and the corresponding ciphertexts are obtained. One issue is whether the plaintexts are considered to be sampled uniformly at random with replacement or whether they are considered to be sampled uniformly at random without replacement.

Key randomisation hypothesis: The linear approximations hold with certain probabilities. The basis for the attack is that the probability corresponding to the right key is different from the probability corresponding to a wrong key. In the standard key randomisation hypothesis, the probabilities corresponding to both the right and the wrong key are assumed to be fixed. The adjusted (or revised, as termed in [7]) key randomisation hypothesis assumes that the probabilities themselves are random variables.

1.1 Our Contributions

In this work, we consider the scenario when several linear approximations are available. Our goal is to express $P_S$ in terms of $N$ and $a$ in each of the above mentioned settings.
Table 1 lists all the 16 possible cases that can arise and in each case mentions whether the case has been previously considered in the literature or whether it is new. If a case has occurred earlier, then the corresponding reference is provided, and the last column provides the section number of this work where an expression for $P_S$ can be found. We observe that out of the 16 possible cases, only 6 cases have been considered earlier and in 5 of these cases expressions for success probabilities have been reported. We provide a general and unified treatment to the extent possible and the 16 different cases are obtained as special cases of the general treatment. The route that we take is similar to the route taken in [7] for single linear cryptanalysis.

Linear cryptanalysis identifies a target sub-key and attempts to obtain the correct value of the target sub-key in time less than an exhaustive search over all possible values of the whole secret key. At a broad level, linear cryptanalysis applies a statistical test to each possible value of the target sub-key. Section 2 provides an overview of linear cryptanalysis and identifies the test statistic that is to be used. The test statistic is parameterised by the choice of the target sub-key and the distribution of the test statistic depends on whether the choice is right or wrong. For a statistical analysis, it is required to obtain the distributions of the test statistic under both the right and the wrong choices of the target sub-key. The literature provides two approaches for analysing success probability, namely the order statistics based approach and the hypothesis testing based approach. Assuming certain forms of the distributions of the test statistic for the right and the wrong key choices, Section 3 obtains expressions for $P_S$ following both the order statistics and the hypothesis testing based approaches.
Certain problems with the order statistics based approach which were earlier pointed out in [5, 7] are briefly summarised. It is shown that if some approximations are applied to the expression for $P_S$ obtained using the hypothesis testing based approach then one obtains the expression for $P_S$ obtained using the order statistics based approach. Since such approximations do not seem to be necessary, the rest of the paper follows the expression for $P_S$ obtained using the hypothesis testing based approach.

The literature has separately considered the standard and the adjusted key randomisation hypotheses. In Section 4, we discuss the existing hypotheses and point out some heuristic assumptions in their formulation that have been implicitly made in the literature. We propose a general right key randomisation hypothesis and a general wrong key randomisation hypothesis and show that the existing key randomisation hypotheses can be obtained as special cases of these two general hypotheses.

Section 5 takes up the crucial task of obtaining the distributions of the test statistic. These distributions are obtained under the general right and wrong key randomisation hypotheses. The cases of multidimensional and multiple linear cryptanalysis and that of sampling with and without replacement are treated separately. For obtaining the distributions, we proceed formally to the extent possible. The derivation of the distributions, however, requires several heuristic assumptions.

type  samp.  RKRH  WKRH  new  previous  P_S  new P_S
md    wr     std   std   no   [6]       [6]  Section 7..
md    wr     std   adj   yes                 Section 7..
md    wr     adj   std   no   [7]            Section 7..3
md    wr     adj   adj   no   [7]       [7]  Section 7..4
md    wor    std   std   yes                 Section 7..
md    wor    std   adj   yes                 Section 7..
md    wor    adj   std   yes                 Section 7..3
md    wor    adj   adj   no   [7]       [7]  Section 7..4
m     wr     std   std   yes                 Section 7..
m     wr     std   adj   yes                 Section 7..
m     wr     adj   std   yes                 Section 7..3
m     wr     adj   adj   no   [7]       [7]  Section 7..4
m     wor    std   std   yes                 Section 7..
m     wor    std   adj   yes                 Section 7..
m     wor    adj   std   yes                 Section 7..3
m     wor    adj   adj   no   [7]       [7]  Section 7..4

Table 1: Here md (resp. m) denotes multidimensional (resp. multiple) linear cryptanalysis; wr (resp. wor) denotes sampling with (resp. without) replacement. RKRH (resp. WKRH) is an abbreviation for right (resp. wrong) key randomisation hypothesis; std (resp. adj) denotes whether the standard (resp. adjusted) key randomisation hypothesis is considered.
We carefully identify these heuristics and discuss why they cannot be replaced by formal analysis. Distributions of the test statistic under the right and wrong key have been obtained earlier for particular cases. We remark that heuristic assumptions similar to those that we identify have also been implicitly made in previous works.

Section 6 obtains expressions for $P_S$ under the general key randomisation hypotheses for the cases of multidimensional/multiple linear cryptanalysis. It turns out that a compact expression for $P_S$ can be provided covering both sampling with and without replacement. The expressions for $P_S$ are obtained by combining the distributions of the test statistics obtained in Section 5 with the expression for $P_S$ obtained in Section 3 following the hypothesis testing framework. Expressions for $P_S$ for the 16 possible cases mentioned in Table 1 are obtained in Section 6. These expressions are obtained by specialising the general key randomisation hypotheses to either the standard or the adjusted key randomisation hypothesis for both right and wrong key choices. As mentioned above, expressions for $P_S$ are obtained for the first time in 11 out of the 16 possible cases. In the remaining five cases, making several approximations to the expressions for $P_S$ that are obtained in this work, it is possible to obtain the expressions for $P_S$ obtained in earlier works. Since such approximations do not seem to be necessary, even in the remaining five cases the expressions for $P_S$ are more general than what was previously known.

Intuitively, one may assume that for a fixed value of the advantage $a$, the success probability is a monotonically increasing function of the data complexity $N$. On the other hand, the expressions for $P_S$ show a complicated dependence on $N$. Section 8 closely analyses the dependence of the success probability on $N$. To do this, the general and compact expressions for $P_S$ obtained in Section 6 are used. A complete characterisation of the nature of the monotonicity of $P_S$ in $N$ is obtained. This characterisation is then specialised to the particular cases of standard/adjusted key randomisation hypothesis and sampling with/without replacement. To the best of our knowledge, no previous work in the literature has carried out such an extensive analysis of the monotonic behaviour of $P_S$ with respect to $N$.

1.2 Previous and Related Works

Linear cryptanalysis was introduced by Matsui []. An earlier work [30] had considered linear approximation in the context of an attack on S-boxes of FEAL. The initial work of Matsui [] considered using a single linear approximation. A subsequent work [] by Matsui himself showed how to improve linear cryptanalysis if two linear approximations are available. Independently, Kaliski and Robshaw [0] also showed that the availability of several linear approximations with certain restrictions leads to an improved attack. Both the attacks [, 0] considered the linear approximations to be independent. Further analysis under the independence assumption of the linear approximations was later done in [4].
Murphy [3] observed that the independence assumption may not be valid. A series of papers [, 3, 9] carried out a systematic investigation of multiple linear cryptanalysis where the linear approximations are not necessarily independent. The motivation of these works was to analyse and obtain optimal distinguishers to distinguish between two distributions. This was done using the framework of hypothesis testing. Several important techniques, including the log-likelihood ratio test, were successfully developed to build optimal distinguishers.

Matsui's original work [] employed a ranking approach to key recovery attacks. A subsequent work by Selçuk [8] proposed a formal statistical treatment of this approach using the methodology of order statistics. The work by Selçuk proved to be quite influential and the order statistics based approach was adopted in a number of later papers [6, 5]. Selçuk's work required an asymptotic result on the normal approximation of order statistics. A concrete error bound on the normal approximation was obtained in [5] and several problematic issues with the order statistics approach were pointed out. The alternative hypothesis testing based approach to analysing key recovery attacks was suggested in [5] and has been subsequently used in [7]. Treatment of key recovery attacks for multidimensional linear cryptanalysis without requiring any independence assumption on the linear approximations was carried out by Hermelin, Cho and Nyberg [6]. This work followed the order statistics based approach of Selçuk [8]; analysis of the same setting using the hypothesis testing based approach was done in [5].

The standard wrong key randomisation hypothesis was formally introduced by Harpes et al. in [5]. The first work to consider the adjusted key randomisation hypothesis was by Bogdanov and Tischhauser []. This was in the setting of single linear cryptanalysis.
The formulation of the adjusted key randomisation hypothesis was based on an earlier work on statistical properties of uniform random permutation by Daemen and Rijmen [4]. A later work on adjusted key randomisation hypotheses for single linear approximation is by Ashur et al. []. A general and unified treatment of success probability under general key randomisation hypotheses for single linear cryptanalysis has been done in [7]. Extension of the adjusted right key randomisation hypothesis from single to multidimensional linear cryptanalysis was considered in Huang et al. [7]. The work did not provide an expression for the success probability.
Out of the 16 possible cases listed in Table 1, four cases were considered by Blondeau and Nyberg in [7] and expressions for $P_S$ obtained in these cases. As mentioned earlier, these expressions are less general than the ones that we obtain in the present work.

A related line of work [0,, 9, 8] considers zero correlation attacks. The notion of sampling without replacement was first considered in the setting of multidimensional zero correlation attacks [9]. In this paper, we do not consider zero correlation attacks.

Much of the analysis in the context of linear cryptanalysis is based on approximations where the errors in the approximations are not known. A more rigorous approach has been advocated in [4] where such approximations are avoided and instead rigorous upper bounds on the data complexity are obtained. A test statistic whose analysis avoids approximations and also avoids some of the problems associated with the generally used test statistics has been proposed in [6].

2 Linear Cryptanalysis

Let the function $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ denote a block cipher such that for each $K \in \{0,1\}^k$, $E_K = E(K, \cdot)$ is a bijection from $\{0,1\}^n$ to itself. Here $K$ is called the secret key. The $n$-bit input to the block cipher is called the plaintext and the $n$-bit output of the block cipher is called the ciphertext. In general, block cipher constructions involve a simple round function, parametrised by a round key, iterated over several rounds. The round functions are bijections of $\{0,1\}^n$. Round keys are produced by applying an expansion function, called the key scheduling algorithm, to the secret key $K$. Denote the round keys by $k_0, k_1, \ldots$ and the round functions by $R^0, R^1, \ldots$. Also, let $K_i$ denote the concatenation of the first $i$ round keys, i.e., $K_i = k_0 \| \cdots \| k_{i-1}$, and let $E^i_{K_i}$ denote the composition of the first $i$ round functions, i.e.,
$$E^1_{K_1} = R^0_{k_0}; \qquad E^i_{K_i} = R^{i-1}_{k_{i-1}} \circ \cdots \circ R^0_{k_0} = R^{i-1}_{k_{i-1}} \circ E^{i-1}_{K_{i-1}}, \quad i \ge 2.$$
A reduced round cryptanalysis of a block cipher targets $r+1$ rounds of the total number of rounds proposed by the block cipher design. For a plaintext $P$, we denote by $C$ the output after $r+1$ rounds, i.e., $C = E^{r+1}(P, K_{r+1})$, and by $B$ the output after $r$ rounds, i.e., $B = E^r(P, K_r)$ and $C = R^r_{k_r}(B)$. Throughout this paper, we will be assuming an attack on the first $r+1$ rounds of an iterated block cipher with $r+1$ rounds.

Linear approximations: Block cipher cryptanalysis starts off with a detailed analysis of the block cipher. This results in one or possibly more relations between the plaintext $P$, the input to the last round $B$ and possibly the expanded key $K_r$. In the case of linear cryptanalysis these relations are linear in nature and are of the following form:
$$\langle \Gamma^i_P, P\rangle \oplus \langle \Gamma^i_B, B\rangle = \langle \Gamma^i_K, K_r\rangle; \quad i = 1, 2, \ldots, l; \qquad (1)$$
where $\Gamma^i_P, \Gamma^i_B \in \{0,1\}^n$ and $\Gamma^i_K \in \{0,1\}^{nr}$ denote the plaintext mask, the mask to the input of the last round and the key mask. A linear relation of the form (1) is called a linear approximation of the block cipher. These linear approximations usually hold with some probability which is taken over random choices of the plaintext $P$. In case $l > 1$, it is required to work with the corresponding joint distribution. Obtaining such relations and their joint distribution is a non-trivial task and requires a lot of ingenuity and experience. They form the basis on which the statistical analysis of block ciphers is built. In this work we will only consider $l > 1$. There are two cases.

Multiple linear cryptanalysis: The linear approximations are assumed to be independent.

Multidimensional linear cryptanalysis: The linear approximations are not assumed to be independent.
Let $L_i = \langle \Gamma^i_P, P\rangle \oplus \langle \Gamma^i_B, B\rangle$ for $i = 1, 2, \ldots, l$.

Inner key bits: Let $z_i = \langle \Gamma^i_K, K_r\rangle$; $i = 1, \ldots, l$. Note that for a fixed but unknown key $K_r$, $z_i$ represents a single unknown bit. Denote by $z = (z_1, \ldots, z_l)$ the collection of the bits arising in this manner. Since all the $l$ key masks $\Gamma^1_K, \ldots, \Gamma^l_K$ are known, the tuple $z$ is determined only by the unknown but fixed $K_r$. Hence, there is no randomness in either $K_r$ or $z$. We call $z$ the inner key bits.

Target sub-key bits: Any linear relation between $P$ and $B$ of the form (1) usually involves only a subset of the bits of $B$. When $l > 1$, several relations between $P$ and $B$ are known. In such cases, it is required to consider the subset of the bits of $B$ which covers all the relations. In order to obtain these bits from the ciphertext $C$ it is required to partially decrypt $C$ by one round. This involves a subset of the bits of the last round key $k_r$. We call this subset of bits of $k_r$ the target sub-key. Recall that the ciphertext $C$ is obtained by encrypting $P$ using the secret key $K$. Let $\kappa^*$ denote the value of the target sub-key corresponding to the secret key $K$. The goal of linear cryptanalysis is then to find the correct value $\kappa^*$ of the target sub-key using the $l$ linear approximations and their joint or marginal distributions. Denote the size of the target sub-key by $m$. In other words, these $m$ key bits are sufficient to partially decrypt $C$ by one round and obtain the bits of $B$ involved in any of the $l$ linear approximations. There are $2^m$ possible choices of the target sub-key out of which only one is correct. The purpose of the attack is to identify the correct key.

Joint distribution parametrised by inner key bits: Let the plaintext $P$ be chosen uniformly at random from $\{0,1\}^n$; $C$ be the ciphertext obtained after encrypting with the secret key $K$; and $B$ the result of partial decryption of $C$ with a choice $\kappa$ of the target sub-key.
The random variable $B$ depends on the choice $\kappa$ used to invert $C$ partially by one round, whereas the ciphertext $C$ depends on the correct choice $\kappa^*$ of the target sub-key and hence so does $B$. So the random variable $L_i$ depends on both $\kappa$ and $\kappa^*$. Hence, to emphasise this dependence we write $L_{\kappa,\kappa^*,i}$ for $\kappa \ne \kappa^*$ and simply write $L_{\kappa^*,i}$ for $\kappa = \kappa^*$. Define the random variables $X_{\kappa,\kappa^*}$ and $X_{\kappa^*}$ as follows:
$$X_{\kappa,\kappa^*} = (L_{\kappa,\kappa^*,1}, \ldots, L_{\kappa,\kappa^*,l}) \quad \text{and} \quad X_{\kappa^*} = (L_{\kappa^*,1}, \ldots, L_{\kappa^*,l}).$$
Also, define the joint distributions of the random variables $X_{\kappa,\kappa^*} \oplus z$ and $X_{\kappa^*} \oplus z$ to be
$$q_{\kappa,\kappa^*,z}(\eta) = \Pr[L_{\kappa,\kappa^*,1} = \eta_1 \oplus z_1, \ldots, L_{\kappa,\kappa^*,l} = \eta_l \oplus z_l] = 2^{-l} + \epsilon_{\kappa,\kappa^*,\eta}(z); \qquad (2)$$
and
$$p_{\kappa^*,z}(\eta) = \Pr[L_{\kappa^*,1} = \eta_1 \oplus z_1, \ldots, L_{\kappa^*,l} = \eta_l \oplus z_l] = 2^{-l} + \epsilon_{\kappa^*,\eta}(z) \qquad (3)$$
respectively, where $-2^{-l} \le \epsilon_{\kappa,\kappa^*,\eta}(z), \epsilon_{\kappa^*,\eta}(z) \le 1 - 2^{-l}$. Denote by $q_{\kappa,\kappa^*,z} = (q_{\kappa,\kappa^*,z}(0), q_{\kappa,\kappa^*,z}(1), \ldots, q_{\kappa,\kappa^*,z}(2^l - 1))$ and $p_{\kappa^*,z} = (p_{\kappa^*,z}(0), p_{\kappa^*,z}(1), \ldots, p_{\kappa^*,z}(2^l - 1))$ the corresponding probability distributions, where the integers $\{0, 1, \ldots, 2^l - 1\}$ are identified with the set $\{0,1\}^l$. For each choice of $z$, we obtain a different but related distribution. Let $z' = z \oplus \beta$ for some $\beta \in \{0,1\}^l$. It is easy to verify that $\epsilon_{\kappa,\kappa^*,\eta}(z') = \epsilon_{\kappa,\kappa^*,\eta \oplus \beta}(z)$ and $\epsilon_{\kappa^*,\eta}(z') = \epsilon_{\kappa^*,\eta \oplus \beta}(z)$, which implies that
$$q_{\kappa,\kappa^*,z \oplus \beta}(\eta) = q_{\kappa,\kappa^*,z}(\eta \oplus \beta) \quad \text{and} \quad p_{\kappa^*,z \oplus \beta}(\eta) = p_{\kappa^*,z}(\eta \oplus \beta). \qquad (4)$$
Let $p_{\kappa^*}$ and $q_{\kappa,\kappa^*}$ denote the probability distributions $p_{\kappa^*,0^l}$ and $q_{\kappa,\kappa^*,0^l}$ respectively. We write
$$q_{\kappa,\kappa^*} = (q_{\kappa,\kappa^*}(0), \ldots, q_{\kappa,\kappa^*}(2^l - 1)) \quad \text{and} \quad p_{\kappa^*} = (p_{\kappa^*}(0), \ldots, p_{\kappa^*}(2^l - 1)). \qquad (5)$$
For $i = 1, \ldots, l$, define
$$q_{\kappa,\kappa^*,i} = \Pr[L_{\kappa,\kappa^*,i} = 1] \quad \text{and} \quad p_{\kappa^*,i} = \Pr[L_{\kappa^*,i} = 1]. \qquad (6)$$

Statistical model of the attack: Let $P_1, \ldots, P_N$, with $N \le 2^n$, be $N$ plaintexts chosen randomly from the set $\{0,1\}^n$ of all possible plaintexts and assume that these $N$ plaintexts follow some distribution over the set $\{0,1\}^n$. Also assume that the adversary possesses $N$ plaintext-ciphertext pairs $(P_j, C_j)$, $j = 1, 2, \ldots, N$, such that $C_j = E_K(P_j)$ for some fixed key $K$. Given $N$ plaintext-ciphertext pairs, the goal of the adversary is then to find $\kappa^*$ in time faster than a brute force search over all possible keys of the block cipher. For each choice $\kappa$ of the target sub-key it is possible for the attacker to partially decrypt each $C_j$ by one round to obtain $B_{\kappa,j}$, $j = 1, 2, \ldots, N$. Note that $B_{\kappa,j}$ is dependent on $\kappa$ even though $C_j$ may not be. For $\kappa = \kappa^*$, $C_j$ clearly depends on $\kappa$, whereas for $\kappa \ne \kappa^*$, $C_j$ has no relationship with $\kappa$. Define
$$L_{\kappa,i,j} = \langle \Gamma^i_P, P_j\rangle \oplus \langle \Gamma^i_B, B_{\kappa,j}\rangle, \qquad (7)$$
$$X_{\kappa,z,j} = (L_{\kappa,1,j} \oplus z_1, \ldots, L_{\kappa,l,j} \oplus z_l), \qquad (8)$$
$$Q_{\kappa,z,\eta} = \#\{j \in \{1, 2, \ldots, N\} : X_{\kappa,z,j} = \eta\}, \qquad (9)$$
where $\kappa \in \{0, 1, 2, \ldots, 2^m - 1\}$; $z_1, \ldots, z_l \in \{0,1\}$; $j = 1, 2, \ldots, N$; $i = 1, 2, \ldots, l$. Note that
$$\sum_{\eta \in \{0,1\}^l} Q_{\kappa,z,\eta} = N. \qquad (10)$$
The condition $X_{\kappa,z \oplus \beta,j} = \eta$, where $\beta = (\beta_1, \ldots, \beta_l)$, is written as
$$(L_{\kappa,1,j} \oplus z_1 \oplus \beta_1, \ldots, L_{\kappa,l,j} \oplus z_l \oplus \beta_l) = \eta \iff (L_{\kappa,1,j} \oplus z_1, \ldots, L_{\kappa,l,j} \oplus z_l) = \eta \oplus \beta \iff X_{\kappa,z,j} = \eta \oplus \beta.$$
Therefore,
$$Q_{\kappa,z \oplus \beta,\eta} = Q_{\kappa,z,\eta \oplus \beta}. \qquad (11)$$
The variable $X_{\kappa,z,j}$ is determined by the pair $(P_j, C_j)$, the choice $\kappa$ of the target sub-key and the choice $z$ of the inner key bits. Recall that $C_j$ depends upon $K$ and hence upon $\kappa^*$, which implies that $X_{\kappa,z,j}$ also depends upon $\kappa^*$ through $C_j$. The randomness of $X_{\kappa,z,j}$ arises from the randomness in $P_j$ and also possibly from the randomness of the previous $P_1, \ldots, P_{j-1}$. In fact it depends on how $P_1, \ldots, P_N$ are sampled from $\{0,1\}^n$.
Therefore $\Pr[X_{\kappa,z,j} = \eta]$ potentially depends upon the following quantities:

$z$: the choice of the inner key bits;

$p_{\kappa^*,z}(\eta)$ or $q_{\kappa,\kappa^*,z}(\eta)$: the probabilities of the linear approximations as given in (2) and (3);

$j$: the index determining the pair $(P_j, C_j)$. This models a general scenario which captures a possible dependence on the index $j$. The dependence on $j$ will be determined by the joint distribution of the plaintexts $P_1, \ldots, P_N$. In the case that $P_1, \ldots, P_N$ are independent and uniformly distributed, $\Pr[X_{\kappa,z,j} = \eta]$ does not depend on $j$. On the other hand, suppose that $P_1, \ldots, P_N$ are sampled without replacement. In such a scenario, $\Pr[X_{\kappa,z,j} = \eta]$ does depend on $j$.
Test statistic for multidimensional linear cryptanalysis: For each choice $\kappa$ of the target sub-key and the inner key bits $z$, let $T_{\kappa,z} = T(X_{\kappa,z,1}, \ldots, X_{\kappa,z,N})$ denote the test statistic. Then
$$T_{\kappa,z} = \sum_{\eta \in \{0,1\}^l} \frac{(Q_{\kappa,z,\eta} - N/2^l)^2}{N/2^l}.$$
For $\beta \in \{0,1\}^l$,
$$T_{\kappa,z \oplus \beta} = \sum_{\eta \in \{0,1\}^l} \frac{(Q_{\kappa,z \oplus \beta,\eta} - N/2^l)^2}{N/2^l} = \sum_{\eta \in \{0,1\}^l} \frac{(Q_{\kappa,z,\eta \oplus \beta} - N/2^l)^2}{N/2^l} \ \ [\text{By } (11)] = \sum_{\eta \oplus \beta \in \{0,1\}^l} \frac{(Q_{\kappa,z,\eta} - N/2^l)^2}{N/2^l} = \sum_{\eta \in \{0,1\}^l} \frac{(Q_{\kappa,z,\eta} - N/2^l)^2}{N/2^l} = T_{\kappa,z}.$$
So $T_{\kappa,z}$ is independent of $z$. Therefore it is sufficient to consider $z = 0^l$. To simplify notation, we will write $T_\kappa$ instead of $T_{\kappa,z}$. Therefore,
$$T_\kappa = \sum_{\eta \in \{0,1\}^l} \frac{(Q_{\kappa,\eta} - N/2^l)^2}{N/2^l}. \qquad (12)$$
There are $2^m$ choices of $\kappa$, which give rise to $2^m$ random variables $T_\kappa$. The distribution of $T_\kappa$ depends on whether $\kappa$ is correct or incorrect. For the statistical analysis of an attack, it is required to obtain the distribution of $T_\kappa$ under both correct and incorrect choices of the target sub-key. Later we will consider this issue in more detail.

Remark: Recall that, since there is no randomness over $K_r$, the bits $z_i$ also have no randomness even though they are unknown. Therefore the distribution of $L_{\kappa,i,j} \oplus z_i$ is completely determined by the distribution of $L_{\kappa,i,j}$.

Test statistic for multiple linear cryptanalysis: In this case, the linear approximations are assumed to be independent. As a result, it is possible to define a simpler test statistic. For each choice $\kappa$ of the target sub-key and inner key bits $z = (z_1, \ldots, z_l)$, let
$$Y_{\kappa,z,i,j} = L_{\kappa,i,j} \oplus z_i \quad \text{and} \quad Y_{\kappa,z,i} = \sum_{j=1}^{N} Y_{\kappa,z,i,j},$$
where $i = 1, \ldots, l$ and $j = 1, \ldots, N$. For $z = 0^l$, we simply write $Y_{\kappa,i,j}$ and $Y_{\kappa,i}$ instead of $Y_{\kappa,z,i,j}$ and $Y_{\kappa,z,i}$ respectively. Let $\beta = (\beta_1, \ldots, \beta_l)$. If $\beta_i = 0$, then $Y_{\kappa,z \oplus \beta,i,j} = Y_{\kappa,z,i,j}$; if $\beta_i = 1$, then $Y_{\kappa,z \oplus \beta,i,j} = L_{\kappa,i,j} \oplus z_i \oplus 1$ and $Y_{\kappa,z \oplus \beta,i} = N - Y_{\kappa,z,i}$. Consequently, for any $\beta$, $(Y_{\kappa,z,i} - N/2)^2 = (Y_{\kappa,z \oplus \beta,i} - N/2)^2$. Let $T_{\kappa,z} = T(X_{\kappa,z,1}, \ldots, X_{\kappa,z,N})$ denote the test statistic
$$T_{\kappa,z} = \sum_{i=1}^{l} \frac{(Y_{\kappa,z,i} - N/2)^2}{N/4}.$$
For $\beta = (\beta_1, \ldots, \beta_l)$,
$$T_{\kappa,z \oplus \beta} = \sum_{i=1}^{l} \frac{(Y_{\kappa,z \oplus \beta,i} - N/2)^2}{N/4} = \sum_{i=1}^{l} \frac{(Y_{\kappa,z,i} - N/2)^2}{N/4} = T_{\kappa,z}.$$
So, $T_{\kappa,z}$ is independent of $\beta$ and, as in the multidimensional case, it is sufficient to consider $z = 0^l$. We will write $T_\kappa$ instead of $T_{\kappa,0^l}$ and this is defined as follows.
$$T_\kappa = \sum_{i=1}^{l} \frac{(Y_{\kappa,i} - N/2)^2}{N/4}. \qquad (13)$$

Success probability: An attack will produce a set or a list of candidate values of the target sub-key. The attack is considered successful if the correct value $\kappa^*$ of the target sub-key is in the output set. The probability of this event is called the success probability of the attack.

Advantage: An attack is said to have advantage $a$ if the size of the set of candidate values of the target sub-key is equal to $2^{m-a}$. In other words, a $2^{-a}$ fraction of the possible $2^m$ values of the target sub-key is produced by the attack.

Data complexity: The number $N$ of plaintext-ciphertext pairs required for an attack is called the data complexity of the attack. Clearly, $N$ depends on the success probability $P_S$ and the advantage $a$. One of the goals of a statistical analysis is to be able to obtain a closed form relation between $N$, $P_S$ and $a$.

2.1 Additional Notation

Capacity: Let $p = (p_0, \ldots, p_{2^l - 1})$ be a probability distribution over $\{0,1\}^l$. The multidimensional capacity $C_{md}(p)$ is defined as
$$C_{md}(p) = 2^l \sum_{i=0}^{2^l - 1} (p_i - 2^{-l})^2 = 2^l \sum_{i=0}^{2^l - 1} \epsilon_i^2, \qquad (14)$$
where $\epsilon_i = p_i - 2^{-l}$. When $p$ is clear from the context, we will simply write $C_{md}$ instead of $C_{md}(p)$. There is a corresponding notion [7] which is useful in the case of multiple linear cryptanalysis. Let $p = (p_1, \ldots, p_l)$ be such that $0 \le p_i \le 1$, $i = 1, \ldots, l$; then $C_m(p)$ is defined to be
$$C_m(p) = \sum_{i=1}^{l} 4 (p_i - 1/2)^2 = \sum_{i=1}^{l} 4 \epsilon_i^2, \qquad (15)$$
where $\epsilon_i = p_i - 1/2$. When $p$ is clear from the context, we will simply write $C_m$ instead of $C_m(p)$.

Normal distribution: By $\mathcal{N}(\mu, \sigma^2)$ we will denote the normal distribution with mean $\mu$ and variance $\sigma^2$. The density function of $\mathcal{N}(\mu, \sigma^2)$ will be denoted by $f(x; \mu, \sigma^2)$. The density function of the standard normal will be denoted by $\phi(x)$ while the distribution function of the standard normal will be denoted by $\Phi(x)$.
Chi-squared distribution: The probability density function of a central chi-squared distribution with $\nu$ degrees of freedom will be denoted by $\chi^2_\nu(x)$ and its corresponding cumulative distribution function will be denoted by $\Psi_\nu(x)$. The density function of a non-central chi-squared distribution with $\nu$ degrees of freedom and non-centrality parameter $\delta$ will be denoted by $\chi^2_{\nu,\delta}(x)$ and its cumulative distribution function will be denoted by $\Psi_{\nu,\delta}(x)$.
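As an added example (not code from the paper), the two test statistics of Section 2 (the chi-squared-type sum over the counts $Q_{\kappa,\eta}$ for the multidimensional case, and the sum over the bit counts $Y_{\kappa,i}$ for the multiple case) computed over a constructed set of $N = 16$ samples for $l = 2$ approximations; it also checks the invariance under a change of inner key bits $z \oplus \beta$ and the relation $T = N \cdot C(\hat p)$ between each statistic and the capacity of the empirical distribution. The sample data and the helper names are assumptions of this example.

```python
import math
from collections import Counter
from typing import List, Sequence, Tuple

# One sample is the tuple X_{kappa,z,j} = (L_{kappa,1,j} xor z_1, ..., L_{kappa,l,j} xor z_l).
Bits = Tuple[int, ...]


def all_patterns(l: int) -> List[Bits]:
    """All eta in {0,1}^l, with integer v identified with its l-bit big-endian tuple."""
    return [tuple((v >> (l - 1 - b)) & 1 for b in range(l)) for v in range(2 ** l)]


def multidimensional_statistic(samples: Sequence[Bits], l: int) -> float:
    """T_kappa = sum_eta (Q_{kappa,eta} - N/2^l)^2 / (N/2^l)  (multidimensional case)."""
    n = len(samples)
    expected = n / 2 ** l
    counts = Counter(samples)                      # Q_{kappa,eta}; a pattern never seen counts 0
    return sum((counts.get(eta, 0) - expected) ** 2 / expected for eta in all_patterns(l))


def multiple_statistic(samples: Sequence[Bits], l: int) -> float:
    """T_kappa = sum_i (Y_{kappa,i} - N/2)^2 / (N/4), Y_{kappa,i} = #{j : bit i of sample j is 1}."""
    n = len(samples)
    return sum((sum(s[i] for s in samples) - n / 2) ** 2 / (n / 4) for i in range(l))


def xor_inner_key(samples: Sequence[Bits], beta: Bits) -> List[Bits]:
    """Re-evaluate every sample under the inner key guess z xor beta (equation (8) with z -> z xor beta)."""
    return [tuple(bit ^ b for bit, b in zip(s, beta)) for s in samples]


def md_capacity(p: Sequence[float]) -> float:
    """Multidimensional capacity C_md(p) = 2^l * sum_i (p_i - 2^-l)^2 over a distribution on {0,1}^l."""
    two_l = len(p)
    return two_l * sum((pi - 1 / two_l) ** 2 for pi in p)


def m_capacity(p: Sequence[float]) -> float:
    """Multiple-approximation capacity C_m(p) = sum_i 4 (p_i - 1/2)^2 over the l marginal probabilities."""
    return sum(4 * (pi - 0.5) ** 2 for pi in p)


def empirical_md_distribution(samples: Sequence[Bits], l: int) -> List[float]:
    """Empirical joint distribution (Q_eta / N) in the order of all_patterns(l)."""
    counts = Counter(samples)
    return [counts.get(eta, 0) / len(samples) for eta in all_patterns(l)]


def empirical_m_distribution(samples: Sequence[Bits], l: int) -> List[float]:
    """Empirical marginal probabilities Y_i / N, one per linear approximation."""
    return [sum(s[i] for s in samples) / len(samples) for i in range(l)]


# Constructed data (an assumption of this example, not from any cipher): l = 2 approximations,
# N = 16 plaintexts, observed counts Q = (6, 4, 3, 3) for eta = 00, 01, 10, 11, so N/2^l = 4.
L = 2
SAMPLES: List[Bits] = [(0, 0)] * 6 + [(0, 1)] * 4 + [(1, 0)] * 3 + [(1, 1)] * 3


def demo() -> Tuple[float, float]:
    t_md = multidimensional_statistic(SAMPLES, L)   # (2^2 + 0 + 1 + 1) / 4 = 1.5
    t_m = multiple_statistic(SAMPLES, L)            # Y = (6, 7): (4 + 1) / 4 = 1.25
    # Both statistics are N times the capacity of the empirical distribution.
    assert math.isclose(t_md, len(SAMPLES) * md_capacity(empirical_md_distribution(SAMPLES, L)))
    assert math.isclose(t_m, len(SAMPLES) * m_capacity(empirical_m_distribution(SAMPLES, L)))
    return t_md, t_m


if __name__ == "__main__":
    print(demo())
```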
3 Two Approaches for Deriving Success Probability

The test statistic for the multidimensional case is given in (12) and for the multiple case is given in (13). To obtain the success probability of an attack it is required to obtain the corresponding distributions of $T_\kappa$ for the two scenarios $\kappa = \kappa^*$ and $\kappa \ne \kappa^*$. Suppose that the following holds:
$$T_{\kappa^*} \sim \mathcal{N}(\mu_0, \sigma_0^2); \qquad T_\kappa / \omega \sim \chi^2_\nu, \ \kappa \ne \kappa^*, \qquad (16)$$
where $\omega > 0$ is a constant. In this section, we consider the derivation of the success probability in terms of $\mu_0$, $\sigma_0^2$, $\nu$ and $\omega$. Later, we will see how to obtain $\mu_0$, $\sigma_0^2$, $\nu$ and $\omega$. In particular, we will see that $\delta$ depends on $N$ whereas $\nu$ depends on the number of linear approximations $l$. From (16), there are two approaches to deriving the success probability, which we discuss below.

3.1 Order Statistics Based Analysis

This approach is based on a ranking methodology used originally by Matsui [] and later formalised by Selçuk [8]. The idea is the following. There are $2^m$ random variables $T_\kappa$ corresponding to the $2^m$ possible values of the target sub-key. Suppose the variables are denoted as $T_0, \ldots, T_{2^m - 1}$ and assume that $T_0$ corresponds to the choice of the correct target sub-key $\kappa^*$. Let $T_{(1)}, \ldots, T_{(2^m - 1)}$ be the order statistics of $T_1, \ldots, T_{2^m - 1}$, i.e., $T_{(1)}, \ldots, T_{(2^m - 1)}$ is the ascending order sort of $T_1, \ldots, T_{2^m - 1}$. So, the event corresponding to a successful attack with $a$-bit advantage is $T_0 > T_{(2^m(1 - q))}$, where $q = 2^{-a}$. Using a well known result on order statistics, the distribution of $T_{(2^m(1-q))}$ can be assumed to approximately follow $\mathcal{N}(\mu_q, \sigma_q^2)$ where $\mu_q = \Psi_\nu^{-1}(1 - 2^{-a})$ and $\sigma_q^2 = 2^{-m+a}(1 - 2^{-a}) / (\chi^2_\nu(\mu_q))^2$. For the asymptotic version of the result refer to [3] and for a concrete error bound refer to [5]. Further assuming that $T_0$ and $T_{(2^m(1-q))}$ are independent, the success probability $P_S$ can be approximated in the following manner.
$$P_S = \Pr[T_0 > T_{(2^m(1-q))}] = \Pr[T_0 - T_{(2^m(1-q))} > 0] \approx \Phi\left(\frac{\mu_0 - \mu_q}{\sqrt{\sigma_0^2 + \sigma_q^2}}\right) = \Phi\left(\frac{\mu_0 - \Psi_\nu^{-1}(1 - 2^{-a})}{\sqrt{\sigma_0^2 + \sigma_q^2}}\right); \qquad (17)$$
where $\mu_0 = E[T_0] = E[T_{\kappa^*}] = \nu + \delta$ and $\sigma_0^2 = E[(T_0 - \mu_0)^2] = E[(T_{\kappa^*} - \mu_0)^2] = 2(\nu + 2\delta)$.
Some criticisms: The order statistics based approach is crucially dependent on the normal approximation of the distribution of the order statistics. A key observation is that the order statistics result is applied to $2^m$ random variables and for the result to be applied, even in an asymptotic context, it is necessary that $2^m$ is sufficiently large. In [5] a close analysis of the hypothesis of the theorem and the error bound in the concrete setting showed that both $2^m$ and $2^{m-a}$ must be large. In particular, to ensure that the approximation error is at most around $10^{-3}$, it is required that $m - a$ should be at least around 0 bits. Since $a$ is the advantage of the attack, the applicability of the order statistics based analysis for attacks with high advantage is not clear. For the analysis to be meaningful one needs to make two further independence assumptions which were implicitly used by Selçuk in [8]. This issue has been pointed out in [7].
1. The hypothesis of the result on the normal approximation of order statistics requires the random variables $T_1, T_2, \ldots, T_{2^m - 1}$ to be independent and identically distributed. The randomness of all of these random variables arises from the randomness of $P_1, \ldots, P_N$ and so these random variables are certainly not independent. As a result, the independence of these random variables is a heuristic assumption.

2. It is assumed that $T_0 - T_{(2^m(1-q))}$ follows a normal distribution. A sufficient condition for $T_0 - T_{(2^m(1-q))}$ to follow a normal distribution is that $T_0$ and $T_{(2^m(1-q))}$ are independent normal variates. Since the randomness of both $T_0$ and $T_{(2^m(1-q))}$ arises from the randomness in $P_1, \ldots, P_N$, they are clearly not independent. As a result, the assumption that $T_0 - T_{(2^m(1-q))}$ follows a normal distribution is also a heuristic assumption.

The net effect of the above two assumptions is that the test statistics corresponding to different choices of the sub-key are independent.

3.2 Hypothesis Testing Based Analysis

Statistical hypothesis testing for analysing block cipher cryptanalysis was carried out in [] in the context of distinguishing attacks. For analysing linear cryptanalysis based key recovery attacks, the hypothesis testing based approach was used in [5] as a method for overcoming some of the theoretical limitations of the order statistics based analysis. Subsequently, the hypothesis testing based approach for analysing key recovery attacks in the context of key dependent assumptions was carried out in [7].

The idea of the hypothesis testing based approach is simple and intuitive. For each choice $\kappa$ of the target sub-key, let $H_0$ be the null hypothesis that $\kappa$ is correct and $H_1$ be the alternative hypothesis that $\kappa$ is incorrect. The test statistic $T_\kappa$ is used to test $H_0$ against $H_1$, where the distributions of $T_\kappa$ are as in (16) for both $\kappa = \kappa^*$ and $\kappa \ne \kappa^*$. From (16), we get $E[T_{\kappa^*}] = \mu_0$ and $E[T_\kappa] = \nu$. Later on we will see that $\mu_0 = \nu + \delta$, where $\delta > 0$ is a constant.
Since $E[T_{\kappa^\star}] = \mu_0 > \nu = E[T_\kappa]$, the following hypothesis test is considered.
$$H_0: \kappa \text{ is correct} \quad \text{versus} \quad H_1: \kappa \text{ is incorrect.} \qquad \text{Decision rule: Reject } H_0 \text{ if } T_\kappa \le t. \qquad (8)$$
Here $t$ is a threshold whose exact value is determined by the desired success probability and advantage. The idea of the test is the following. The mean $\mu_0$ under $H_0$ is greater than the mean $\nu$ under $H_1$, so if the value of the test statistic is smaller than a certain threshold, it is guessed that $H_0$ does not hold. Such a hypothesis test gives rise to two kinds of errors: $H_0$ is rejected when it holds, which is called the Type-1 error; and $H_0$ is accepted when it does not hold, which is called the Type-2 error. If a Type-1 error occurs, then $\kappa = \kappa^\star$ is the correct value of the target sub-key but the test rejects it, and so the attack fails to recover the correct value. The attack is successful if and only if a Type-1 error does not occur. So, the success probability is $P_S = 1 - \Pr[\text{Type-1 error}]$. On the other hand, for every Type-2 error, an incorrect value of $\kappa$ gets labelled as a candidate key. As a result, the number of times that a Type-2 error occurs is the size of the list of candidate keys.

Theorem. Let $\kappa^\star \in \{0,1\}^m$. For $\kappa \in \{0,1\}^m$, let $T_\kappa$ be $2^m$ random variables, where $T_{\kappa^\star} \sim N(\mu_0, \sigma_0^2)$ and, for $\kappa \neq \kappa^\star$, $T_\kappa/\omega \sim \chi^2_\nu$ for some constant $\omega > 0$. Suppose the hypothesis test given in (8) is applied to $T_\kappa$ for all $\kappa \in \{0,1\}^m$. Let $P_S = 1 - \Pr[\text{Type-1 error}]$ and suppose the expected number of times that a Type-2 error occurs is $2^{m-a}$. Then
$$P_S = \Phi\left(\frac{\mu_0 - \omega\gamma}{\sigma_0}\right), \qquad \text{where } \gamma = \Psi_\nu^{-1}\left(1 - \frac{2^{m-a}}{2^m - 1}\right). \qquad (9)$$
Proof. Let $\alpha = \Pr[\text{Type-1 error}]$ and $\beta = \Pr[\text{Type-2 error}]$, so that $P_S = 1 - \alpha$. For each $\kappa \neq \kappa^\star$, let $Z_\kappa$ be a binary valued random variable which takes the value 1 if and only if a Type-2 error occurs for $\kappa$. So, $\Pr[Z_\kappa = 1] = \beta$. The size of the list of candidate keys returned by the test is $\sum_{\kappa \neq \kappa^\star} Z_\kappa$, and so the expected size of the list of candidate keys is
$$E\left[\sum_{\kappa \neq \kappa^\star} Z_\kappa\right] = \sum_{\kappa \neq \kappa^\star} E[Z_\kappa] = \sum_{\kappa \neq \kappa^\star} \Pr[Z_\kappa = 1] = (2^m - 1)\beta. \qquad (10)$$
The expected number of times that a Type-2 error occurs is $2^{m-a}$. So,
$$\beta = \frac{2^{m-a}}{2^m - 1}.$$
The Type-1 and Type-2 error probabilities are calculated as follows.
$$\alpha = \Pr[\text{Type-1 error}] = \Pr[T_{\kappa^\star} \le t \mid H_0 \text{ holds}] = \Pr[T_{\kappa^\star} \le t] = \Phi\left(\frac{t - \mu_0}{\sigma_0}\right);$$
$$\beta = \Pr[\text{Type-2 error}] = \Pr[T_\kappa > t \mid H_1 \text{ holds}] = \Pr[T_\kappa/\omega > t/\omega \mid H_1 \text{ holds}] = 1 - \Psi_\nu(t/\omega). \qquad (13)$$
Using $\beta = 2^{m-a}/(2^m - 1)$ in (13), we obtain
$$t = \omega\,\Psi_\nu^{-1}\left(1 - \frac{2^{m-a}}{2^m - 1}\right) = \omega\gamma. \qquad (14)$$
Substituting this value of $t$ in the expression for $\alpha$ and noting that $P_S = 1 - \alpha$, we obtain
$$P_S = \Phi\left(\frac{\mu_0 - \omega\gamma}{\sigma_0}\right).$$

Remarks:
1. Note that $\gamma = \Psi_\nu^{-1}\left(1 - 2^{m-a}/(2^m - 1)\right) \ge 0$.
2. The computation in (10) does not require the $Z_\kappa$'s or the $T_\kappa$'s to be independent.
3. The theoretical limitations of the order statistics based analysis (namely, that $2^m$ and $2^{m-a}$ must be large) and the heuristic assumption that the $T_\kappa$'s are independent are not present in the hypothesis testing based analysis.
4. Comparing (9) to (7), we find that the two expressions are equal under the following three assumptions: (a) $(2^m - 1)/2^m \approx 1$: this holds for moderately large values of $m$, but is not valid for small values of $m$. (b) $\sigma_0 \approx \sigma_q$: this assumption was used in [8]. (c) $\omega \approx 1$.
In the rest of the work, we will use (9) as the expression for the success probability.
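The test (8) and formula (9) worked through in code, as an added example that is not part of the paper: $\Phi$ is computed from the error function, $\Psi_\nu$ from the regularised incomplete gamma function (series and continued fraction, an implementation choice of this example), and the test is then run on $2^m$ simulated statistics drawn from exactly the distributions the theorem assumes, so the empirical success probability and candidate-list size can be compared with (9) and with $2^{m-a}$. The parameter values ($\mu_0$, $\sigma_0$, $\omega$, $\nu$, $m$, $a$) are constructed.

```python
"""Success probability of the hypothesis test (8) from formula (9), checked against a
simulation of the test itself. Added example: Phi is the standard normal CDF and
Psi_nu the chi-squared CDF with nu degrees of freedom."""
import math
import random


def normal_cdf(x):
    """Phi(x), the standard normal distribution function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def _regularised_lower_gamma(s, x):
    """P(s, x): power series for x < s + 1, Lentz continued fraction for Q(s, x) otherwise."""
    if x <= 0.0:
        return 0.0
    log_prefactor = -x + s * math.log(x) - math.lgamma(s)
    if x < s + 1.0:
        term, total, k = 1.0 / s, 1.0 / s, 1
        while abs(term) > abs(total) * 1e-15:
            term *= x / (s + k)
            total += term
            k += 1
        return total * math.exp(log_prefactor)
    tiny = 1e-300
    b = x + 1.0 - s
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, 10000):
        an = -i * (i - s)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return 1.0 - math.exp(log_prefactor) * h


def chi2_cdf(x, nu):
    """Psi_nu(x): distribution function of the chi-squared distribution with nu degrees of freedom."""
    return _regularised_lower_gamma(nu / 2.0, x / 2.0)


def chi2_inv(p, nu):
    """Psi_nu^{-1}(p) by bisection; the CDF is continuous and strictly increasing on (0, inf)."""
    lo, hi = 0.0, 2.0 * nu + 10.0
    while chi2_cdf(hi, nu) < p:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if chi2_cdf(mid, nu) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def threshold_and_success(mu0, sigma0, omega, nu, m, a):
    """Formula (9): beta = 2^(m-a)/(2^m - 1), gamma = Psi_nu^{-1}(1 - beta), t = omega * gamma,
    P_S = Phi((mu0 - omega * gamma) / sigma0).  Returns (t, P_S)."""
    beta = 2.0 ** (m - a) / (2.0 ** m - 1.0)
    gamma = chi2_inv(1.0 - beta, nu)
    t = omega * gamma
    return t, normal_cdf((mu0 - t) / sigma0)


def simulate_test(mu0, sigma0, omega, nu, m, a, trials, seed=2024):
    """Monte Carlo of the test in (8): one right key with T ~ N(mu0, sigma0^2) and 2^m - 1 wrong
    keys with T/omega ~ chi^2_nu (a Gamma(nu/2, scale 2) variate); a key survives when T > t.
    Returns (empirical P_S, mean number of surviving wrong keys, i.e. Type-2 errors)."""
    rng = random.Random(seed)
    t, _ = threshold_and_success(mu0, sigma0, omega, nu, m, a)
    wrong_keys = 2 ** m - 1
    successes = 0
    survivors_total = 0
    for _ in range(trials):
        if rng.gauss(mu0, sigma0) > t:  # right key kept: no Type-1 error in this trial
            successes += 1
        for _ in range(wrong_keys):
            if omega * rng.gammavariate(nu / 2.0, 2.0) > t:  # wrong key kept: a Type-2 error
                survivors_total += 1
    return successes / trials, survivors_total / trials


if __name__ == "__main__":
    # Constructed parameters: 8-bit target sub-key, advantage a = 4 bits, nu = 15 degrees of freedom.
    PARAMS = dict(mu0=30.0, sigma0=4.0, omega=1.0, nu=15, m=8, a=4)
    t, p_s = threshold_and_success(**PARAMS)
    emp_ps, emp_list = simulate_test(trials=1000, **PARAMS)
    print(f"threshold t = {t:.3f}, formula P_S = {p_s:.4f}")
    print(f"simulated P_S = {emp_ps:.4f}, mean candidate list size = {emp_list:.2f} (expected 16)")
```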
4 General Key Randomisation Hypotheses

At this point it is important to make the distinction between multiple and multidimensional linear cryptanalysis as it appears in the literature. Multiple linear cryptanalysis [4] refers to linear attacks using $l$ linear approximations where the linear approximations are assumed to be statistically independent. In multidimensional linear cryptanalysis [6], on the other hand, the attacker exploits all linear approximations with linear masks $(\Gamma_P, \Gamma_B) \neq (0, 0)$ in a linear space. In other words, in multidimensional linear cryptanalysis the linear approximations are not assumed to be statistically independent. Therefore, in the case of multidimensional linear cryptanalysis the attacker works with the joint distribution of the $l$ linear approximations, whereas in the case of multiple linear cryptanalysis the attacker works with the marginal distributions.
Recall the definitions of $q_{\kappa,\kappa^\star}(\eta)$ and $p_\kappa(\eta)$ from (5). The corresponding biases are $\epsilon_{\kappa,\kappa^\star}(\eta)$ and $\epsilon_\kappa(\eta)$. For obtaining the distributions of $T_{\kappa^\star}$ and of $T_\kappa$, $\kappa \neq \kappa^\star$, it is required to hypothesise the behaviour of $p_\kappa(\eta)$ and $q_{\kappa,\kappa^\star}(\eta)$, respectively.

4.1 General Multidimensional Key Randomisation Hypotheses

The two standard multidimensional key randomisation hypotheses are the following.
Standard multidimensional right key randomisation hypothesis: For every choice of $\kappa$, $p_\kappa(\eta) = p(\eta)$, such that $0 < p(\eta) < 1$ and $\sum_{\eta \in \{0,1\}^l} p(\eta) = 1$.
Standard multidimensional wrong key randomisation hypothesis: For every choice of $\kappa$ and $\kappa^\star \neq \kappa$, $q_{\kappa,\kappa^\star}(\eta) = 2^{-l}$ for all $\eta \in \{0,1\}^l$.
The standard wrong key randomisation hypothesis for $l = 1$ was formally considered in [5] and later generalised to $l > 1$ in [6]. Based on the work in [4], the standard wrong key randomisation hypothesis for $l = 1$ was modified in [] and for $l > 1$ in [7]. An earlier version [6] of [7] uses the following formulation.
Adjusted multidimensional wrong key randomisation hypothesis: For each $\kappa^\star \neq \kappa$ and $\eta \in \{0,1\}^l$, $q_{\kappa,\kappa^\star}(\eta) \sim N\left(2^{-l}, \frac{2^l - 1}{2^{n+2l}}\right)$, and $q_{\kappa,\kappa^\star}(0), \ldots, q_{\kappa,\kappa^\star}(2^l - 1)$ are independent.
Remarks:
1. In this hypothesis, there is no explicit dependence of the bias on either $\kappa$ or $\kappa^\star$.
2. As $q_{\kappa,\kappa^\star}(\eta)$ is a probability, $0 \le q_{\kappa,\kappa^\star}(\eta) \le 1$. On the other hand, a random variable following a normal distribution can take any real value. So, the above hypothesis may lead to $q_{\kappa,\kappa^\star}(\eta)$ taking a value outside the range $[0, 1]$, which is not meaningful. As a result, the adjusted wrong key randomisation hypothesis must necessarily be considered to be a heuristic assumption.
3. The probability that $q_{\kappa,\kappa^\star}(\eta)$ takes values outside of $[0, 1]$ can be bounded as follows. Writing $q$ for $q_{\kappa,\kappa^\star}(\eta)$,
$$\Pr[q < 0 \text{ or } q > 1] = \Pr[q < 0] + \Pr[q > 1] = \Pr[q - 2^{-l} < -2^{-l}] + \Pr[q - 2^{-l} > 1 - 2^{-l}] \le \Pr[|q - 2^{-l}| > 2^{-l}] + \Pr[|q - 2^{-l}| > 1 - 2^{-l}]$$
$$\le \frac{2^l - 1}{2^{n+2l}} \cdot 2^{2l} + \frac{2^l - 1}{2^{n+2l}} \cdot \frac{1}{(1 - 2^{-l})^2} \quad [\text{by Chebyshev's inequality}] \quad = \frac{2^l - 1}{2^n} + \frac{1}{2^n (2^l - 1)}.$$
In other words, $q_{\kappa,\kappa^\star}(\eta)$ takes values outside $[0, 1]$ with exponentially low probability provided that $n - l$ is large; if $n - l$ is not too large, then the probability is not negligible.
Modification of the right key randomisation hypothesis was first considered in [7] in the context of multidimensional linear cryptanalysis. In [7], a theorem of [3] was taken as the right key hypothesis, i.e., it was assumed that even for the right choice of the target sub-key, the probability of a linear approximation follows a normal distribution. This assumption was later used in [7], and the following can be stated.
Adjusted multidimensional right key randomisation hypothesis: For all $\eta \in \{0,1\}^l$, $p_\kappa(\eta) \sim N(p(\eta), \sigma^2)$, where $0 < p(\eta) < 1$ is a constant such that $\sum_{\eta \in \{0,1\}^l} p(\eta) = 1$, and each subset of $2^l - 1$ random variables out of the $2^l$ possible random variables $p_\kappa(\eta)$ is independent and this set determines the remaining random variable uniquely.
Remarks:
1. The first two remarks for the adjusted multidimensional wrong key randomisation hypothesis also hold for the adjusted multidimensional right key randomisation hypothesis.
2. Since the form of $\sigma^2$ is not given, nothing can be said about the probability that $p_\kappa(\eta)$ lies outside $[0, 1]$.
3. The random variables $p_\kappa(0), \ldots, p_\kappa(2^l - 1)$ are not assumed to be independent. On the other hand, while the marginals are assumed to follow a normal distribution, no assumption is made on the joint distribution. Normality of the marginals does not imply that the joint distribution is also normal.
4. The assumption that each possible subset of $2^l - 1$ random variables out of the $2^l$ possible random variables $p_\kappa(\eta)$ is independent is a heuristic assumption. The rationale for this assumption is perhaps to justify that the distribution of the test statistic under the right key follows a non-central chi-squared distribution. This assumption, however, is not sufficient for this purpose, as we discuss later.
Let $C$ be the expected value of $2^l \sum_{\eta \in \{0,1\}^l} (p_\kappa(\eta) - 2^{-l})^2$, i.e.,
$$C = 2^l \sum_{\eta \in \{0,1\}^l} E\left[(p_\kappa(\eta) - 2^{-l})^2\right]. \qquad (15)$$
In [7], the value of $\sigma^2$ in the adjusted right key randomisation hypothesis is expressed in terms of $C$ and the capacity $C_{md}$ in the following manner.
$$C = 2^l \sum_{\eta \in \{0,1\}^l} E\left[(p_\kappa(\eta) - 2^{-l})^2\right] = 2^l \sum_{\eta \in \{0,1\}^l} E\left[(p_\kappa(\eta) - p(\eta))^2 + (p(\eta) - 2^{-l})^2 + 2(p(\eta) - 2^{-l})(p_\kappa(\eta) - p(\eta))\right] = 2^{2l}\sigma^2 + C_{md},$$
$$\text{so that} \qquad \sigma^2 = \frac{C - C_{md}}{2^{2l}}. \qquad (16)$$
Motivated by the description of the standard and adjusted right and wrong key randomisation hypotheses in [7], we formulate the following general multidimensional key randomisation hypotheses for both the right and the wrong key.
General multidimensional right key randomisation hypothesis: For all $\eta \in \{0,1\}^l$, $p_\kappa(\eta) \sim N(p(\eta), s_0^2)$, where $0 < p(\eta) < 1$ is a constant such that $\sum_{\eta \in \{0,1\}^l} p(\eta) = 1$, and each subset of $2^l - 1$ random variables out of the $2^l$ possible random variables $p_\kappa(\eta)$ is independent and this set determines the remaining random variable uniquely. Further, $s_0^2$ is constrained relative to $2^{-n}$.
General multidimensional wrong key randomisation hypothesis: For each $\kappa^\star \neq \kappa$ and $\eta \in \{0,1\}^l$, $q_{\kappa,\kappa^\star}(\eta) \sim N(2^{-l}, s_1^2)$, where $s_1^2$ is constrained relative to $2^{-l}$ and $2^{-n}$; and $q_{\kappa,\kappa^\star}(0), \ldots, q_{\kappa,\kappa^\star}(2^l - 1)$ are independent.
The heuristic nature of the adjusted right and wrong key hypotheses discussed earlier also holds for the general hypotheses.
1. As $s_1^2 \to 0$, the random variable $q_{\kappa,\kappa^\star}(\eta)$ becomes degenerate and takes the value $2^{-l}$. In this case, the general multidimensional wrong key randomisation hypothesis becomes the standard multidimensional wrong key randomisation hypothesis.
2. For $s_1^2 = \frac{2^l - 1}{2^{n+2l}}$, the general multidimensional wrong key randomisation hypothesis becomes the adjusted multidimensional wrong key randomisation hypothesis.
3. As $s_0^2 \to 0$, the general multidimensional right key randomisation hypothesis reduces to the standard multidimensional right key randomisation hypothesis.
4. For $s_0^2 = \sigma^2$, the general multidimensional right key randomisation hypothesis becomes the adjusted multidimensional right key randomisation hypothesis.

4.2 General Multiple Key Randomisation Hypotheses

For a single linear approximation, the standard/adjusted/general wrong and right key randomisation hypotheses have been proposed in the literature [5, , 7]. The extension to multiple linear cryptanalysis essentially consists of extending these to several independent linear approximations. This requires making assumptions on $p_{\kappa,i}$ and $q_{\kappa,\kappa^\star,i}$ given by (6). The standard multiple right and wrong key randomisation hypotheses were first considered in [4] and can be stated as follows.
Standard multiple right key randomisation hypothesis: For each choice of $\kappa$ and for $i = 1, \ldots, l$, $p_{\kappa,i} = p_i$ with $0 < p_i < 1$.
Standard multiple wrong key randomisation hypothesis: For each choice of $\kappa$ and $\kappa^\star \neq \kappa$, and for $i = 1, \ldots, l$, $q_{\kappa,\kappa^\star,i} = 1/2$.
Based on [4], the multiple wrong key randomisation hypothesis was modified in [6], which is an earlier version of [7], in the following manner.
Adjusted multiple wrong key randomisation hypothesis: For each $\kappa^\star \neq \kappa$ and for $i = 1, \ldots, l$, $q_{\kappa,\kappa^\star,i} \overset{\text{i.i.d.}}{\sim} N(1/2, 2^{-n-2})$.
Remarks: The remarks given below are essentially extensions of similar comments given in [7] in the context of a single linear approximation.
1. There is no explicit dependence of the bias on either $\kappa$ or $\kappa^\star$.
2. As $q_{\kappa,\kappa^\star,i}$ is a probability, it takes values in $[0, 1]$. On the other hand, a random variable following a normal distribution can take any real value. So, as in the multidimensional case, the above hypothesis may lead to $q_{\kappa,\kappa^\star,i}$ taking a value outside the range $[0, 1]$, which is not meaningful. Hence, the adjusted wrong key randomisation hypothesis must necessarily be considered to be a heuristic assumption.
3. The variance $2^{-n-2}$ is an exponentially decreasing function of $n$, and by Chebyshev's inequality $\Pr[|q_{\kappa,\kappa^\star,i} - 1/2| > 1/2] \le 4 \cdot 2^{-n-2} = 2^{-n}$. In other words, $q_{\kappa,\kappa^\star,i}$ takes values outside $[0, 1]$ with exponentially low probability.
Modification of the standard right key randomisation hypothesis in the context of multiple linear approximations was considered in [7]. The formulation given below follows [6].
Adjusted multiple right key randomisation hypothesis: For all $\kappa$ and for $i = 1, \ldots, l$, $p_{\kappa,i} \overset{\text{i.i.d.}}{\sim} N(p_i, \sigma^2)$.
Remarks: The first two remarks for the adjusted multiple wrong key randomisation hypothesis also hold in this case. As the mathematical form of $\sigma^2$ is not given, nothing can be said about the probability that a particular $p_{\kappa,i}$ lies outside $[0, 1]$.
Motivated by the description of the standard and adjusted right and wrong key randomisation hypotheses in [7], we formulate the following general multiple key randomisation hypotheses for both the right and the wrong key.
General multiple right key randomisation hypothesis: For all $\kappa$ and for $i = 1, \ldots, l$, $p_{\kappa,i} \overset{\text{i.i.d.}}{\sim} N(p_i, s_0^2)$, where $p_i \in [0, 1]$ and $s_0^2$ is constrained relative to $2^{-n}$.
General multiple wrong key randomisation hypothesis: For all $\kappa$ and $\kappa^\star \neq \kappa$, and for $i = 1, \ldots, l$, $q_{\kappa,\kappa^\star,i} \overset{\text{i.i.d.}}{\sim} N(1/2, s_1^2)$, where $s_1^2$ is constrained relative to $2^{-n}$.
The heuristic nature of the adjusted right and wrong key hypotheses discussed earlier also holds for the general hypotheses. We note the following.
1. As $s_0^2 \to 0$, the random variable $p_{\kappa,i}$ becomes degenerate and takes the value of the constant $p_i$. In this case, the general multiple right key randomisation hypothesis becomes the standard multiple right key randomisation hypothesis.
2. For $s_0^2 = \sigma^2$, the general multiple right key randomisation hypothesis becomes the adjusted multiple right key randomisation hypothesis.
3. As $s_1^2 \to 0$, the random variable $q_{\kappa,\kappa^\star,i}$ becomes degenerate and takes the value $1/2$. In this case, the general multiple wrong key randomisation hypothesis becomes the standard multiple wrong key randomisation hypothesis.
4. For $s_1^2 = 2^{-n-2}$, the general multiple wrong key randomisation hypothesis becomes the adjusted multiple wrong key randomisation hypothesis.

4.3 Differences with the Formulation of the Various Hypotheses in [7]

We have postulated the various hypotheses as conditions on $p_\kappa$ and $q_{\kappa,\kappa^\star}$ given by (5) in the case of multidimensional linear cryptanalysis, and as conditions on $p_{\kappa,i}$ and $q_{\kappa,\kappa^\star,i}$ given by (6) in the case of multiple linear cryptanalysis. This follows the approach taken in an earlier version [6] of [7]. The hypotheses in the published version [7] are of the following types.
1. For the multidimensional case, the adjusted right key randomisation hypothesis is formulated as an assumption on $p_\kappa$, as in the earlier version [6], while the adjusted wrong key randomisation hypothesis is formulated as an assumption on $Q_{\kappa,\eta} - N 2^{-l}$.
2. For the multiple case, the adjusted right key randomisation hypothesis is formulated as an assumption on $Y_{\kappa,i} - N/2$, while the adjusted wrong key randomisation hypothesis is also formulated as an assumption on $Y_{\kappa,i} - N/2$.
So, in [7], out of four cases, in one case the assumption is on the underlying probability while in the other three cases the assumptions are on derived random variables. In our opinion, if one follows the work in [4], then the assumptions should be on the underlying probabilities rather than on the derived random variables. That is why we have chosen to state the hypotheses as formulated in [6]. We emphasise that the general formulation that we present here and the detailed consideration of the heuristic nature of these hypotheses do not appear in either [6] or [7].

5 Heuristic Distributions of the Test Statistics

The form of the test statistic $T_\kappa$ for multidimensional linear cryptanalysis and the form (3) for multiple linear cryptanalysis were given earlier. As outlined in Section 3, to obtain the success probability it is required to obtain the distributions of $T_\kappa$ for both the right and the wrong choices of $\kappa$. In the case of multidimensional linear cryptanalysis, $T_\kappa$ is defined from the $Q_{\kappa,\eta}$'s, and so to obtain the distribution of $T_\kappa$ it is required to obtain the distribution of $Q_\kappa = (Q_{\kappa,0}, \ldots, Q_{\kappa,2^l-1})$. Similarly, in the case of multiple linear cryptanalysis, $T_\kappa$ is defined from the $Y_{\kappa,i}$, and to obtain the distribution of $T_\kappa$ it is required to obtain the distribution of $(Y_{\kappa,1}, \ldots, Y_{\kappa,l})$.
The derivations of the distributions of $T_\kappa$ under the various settings are heuristic and provide only a rough approximation, where it is hard to estimate the error in the approximation. We explain this issue in the context of multidimensional linear cryptanalysis where sampling with replacement is used, but similar considerations hold in the other settings. In the setting of multidimensional linear cryptanalysis, $T_\kappa$ is defined from the random vector $Q_\kappa = (Q_{\kappa,0}, \ldots, Q_{\kappa,2^l-1})$, where the $Q_{\kappa,\eta}$'s are defined as in (9) and satisfy the condition given in (10).
For sampling with replacement, $Q_\kappa$ follows a multinomial distribution and $Q_{\kappa,\eta}$ follows $\mathrm{Bin}(N, p_\kappa(\eta))$, where $p_\kappa(\eta)$ is heuristically assumed to follow a normal distribution. The $p_\kappa(\eta)$'s are not assumed to be independent. The mean vector of the random vector $Q_\kappa$ is $(Np_\kappa(0), \ldots, Np_\kappa(2^l-1))$. The distribution of a random variable whose parameters are themselves random variables is called a compound distribution. If the $p_\kappa(\eta)$'s took values in $[0, 1]$, then it would have been possible to formally consider the distribution of $Q_\kappa$. Since the $p_\kappa(\eta)$'s are assumed to follow a normal distribution, they can take values outside of $[0, 1]$, and so we see no way of formally deriving the distribution of $Q_\kappa$. The heuristic assumption of normality on $p_\kappa(\eta)$ implies that the distributions of $Q_\kappa$, and hence of $T_\kappa$, are both fundamentally heuristic assumptions. It is not possible to derive these distributions formally; one can only try to provide some justification for the heuristic assumptions.
The key randomisation hypotheses postulate that the marginals $p_\kappa(\eta)$ are approximately normal. They do not postulate anything about the joint distribution of the $p_\kappa(\eta)$'s. If the marginals are normal, it does not necessarily follow (in fact, it mostly does not) that the joint distribution is also normal. From the normality assumption on the marginals $p_\kappa(\eta)$, we can only heuristically argue (as is done in Section 5 below) that each of the marginals $Q_{\kappa,\eta}$ follows an approximate normal distribution. Nothing can be proved about the joint distribution of the $Q_{\kappa,\eta}$'s. Instead, it is required to make the heuristic assumption that $Q_\kappa$ follows a multivariate normal distribution. Further, this heuristic assumption does not clarify the nature of the variance-covariance matrix of the multivariate normal distribution of $Q_\kappa$. The form of $T_\kappa$ suggests that the distribution of $T_\kappa$ should be given by a suitable chi-squared distribution.
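As an added example that is not part of the paper, the compound distribution of a single count $Q_{\kappa,\eta} \sim \mathrm{Bin}(N, p_\kappa(\eta))$ when its binomial parameter is itself drawn as $N(\mu, s^2)$, as the hypotheses of Section 4 postulate: a draw of $p_\kappa(\eta)$ outside $[0,1]$ cannot parameterise a binomial and has to be discarded, which is the failure mode discussed above, and the discard frequency is compared with the Chebyshev bound of Remark 3 in Section 4.1. The naive law-of-total-variance prediction for $\mathrm{Var}[Q]$ is my own formula (not the paper's) and is shown to overshoot because of the discarded draws; $N$, $\mu$ and $s^2$ are constructed values.

```python
"""Compound distribution of one count Q ~ Bin(N, p) with p ~ N(mu, s^2), as in the adjusted and
general key randomisation hypotheses.  Added example: out-of-range draws of p are counted and
discarded, and the naive law-of-total-variance prediction is compared with the admissible draws."""
import math
import random


def chebyshev_out_of_range_bound(mu, s2):
    """Bound of Remark 3, Section 4.1: Pr[p < 0] + Pr[p > 1] <= s^2/mu^2 + s^2/(1 - mu)^2."""
    return s2 / mu ** 2 + s2 / (1.0 - mu) ** 2


def naive_compound_moments(n, mu, s2):
    """Mean and variance of Q if every draw p ~ N(mu, s^2) were a legitimate probability:
    E[Q] = N mu and Var[Q] = E[N p (1 - p)] + Var[N p] = N(mu - mu^2 - s^2) + N^2 s^2.
    (Law of total variance; this is the example's own formula, not the paper's.)"""
    return n * mu, n * (mu - mu * mu - s2) + n * n * s2


def binomial(n, p, rng):
    """Bin(n, p) as a sum of n Bernoulli(p) trials, so the example depends only on `random`."""
    return sum(1 for _ in range(n) if rng.random() < p)


def sample_compound(n, mu, s2, draws, seed=11):
    """Draw p ~ N(mu, s^2) `draws` times; for p in [0, 1] draw Q ~ Bin(n, p), otherwise record a
    rejection (the hypothesis produced a value that is not a probability).
    Returns (fraction of rejected draws, sample mean of Q, sample variance of Q)."""
    rng = random.Random(seed)
    s = math.sqrt(s2)
    rejected = 0
    counts = []
    for _ in range(draws):
        p = rng.gauss(mu, s)
        if p < 0.0 or p > 1.0:
            rejected += 1
            continue
        counts.append(binomial(n, p, rng))
    mean = sum(counts) / len(counts)
    var = sum((q - mean) ** 2 for q in counts) / (len(counts) - 1)
    return rejected / draws, mean, var


if __name__ == "__main__":
    # Constructed setting: l = 2 so mu = 2^-l = 1/4, N = 1024 plaintexts, and s^2 = 0.15^2,
    # deliberately large so that the out-of-range failure mode is visible in 1000 draws.
    N, MU, S2 = 1024, 0.25, 0.15 ** 2
    rej, mean, var = sample_compound(N, MU, S2, draws=1000)
    naive_mean, naive_var = naive_compound_moments(N, MU, S2)
    print(f"rejected draws: {rej:.3f} (Chebyshev bound {chebyshev_out_of_range_bound(MU, S2):.3f})")
    print(f"mean of Q: {mean:.1f} (naive {naive_mean:.1f}); variance: {var:.0f} (naive {naive_var:.0f})")
```

With these constructed values roughly 5% of the draws are rejected, the admissible draws have a slightly higher mean than $N\mu$, and their variance is clearly below the naive prediction, because discarding the lower tail of $p$ changes the distribution the count is actually compounded over.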
This would follow if it were possible to show that $Q_\kappa$ approximately follows a multivariate normal distribution whose variance-covariance matrix satisfies the conditions of Theorem A. of Appendix 6. Since this cannot be proved formally, it is heuristically assumed that $Q_\kappa$ follows an appropriate multivariate normal distribution, so that the distribution of $T_\kappa$ can be approximated by a chi-squared distribution. Note that for the actual computation of the parameters (the degrees of freedom and the non-centrality parameter) of the chi-squared distribution, it is sufficient to have the mean vector of $Q_\kappa$. Since it is possible to heuristically justify that the marginals of $Q_\kappa$ follow an approximate normal distribution, an approximation of the mean vector of $Q_\kappa$ can be obtained. So, it is possible to obtain approximate values of the parameters of the chi-squared
More informationChapter 7: Estimation Sections
1 / 31 : Estimation Sections 7.1 Statistical Inference Bayesian Methods: 7.2 Prior and Posterior Distributions 7.3 Conjugate Prior Distributions 7.4 Bayes Estimators Frequentist Methods: 7.5 Maximum Likelihood
More informationCS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 6: Prior-Free Single-Parameter Mechanism Design (Continued)
CS599: Algorithm Design in Strategic Settings Fall 2012 Lecture 6: Prior-Free Single-Parameter Mechanism Design (Continued) Instructor: Shaddin Dughmi Administrivia Homework 1 due today. Homework 2 out
More informationStatistical Methodology. A note on a two-sample T test with one variance unknown
Statistical Methodology 8 (0) 58 534 Contents lists available at SciVerse ScienceDirect Statistical Methodology journal homepage: www.elsevier.com/locate/stamet A note on a two-sample T test with one variance
More informationVersion A. Problem 1. Let X be the continuous random variable defined by the following pdf: 1 x/2 when 0 x 2, f(x) = 0 otherwise.
Math 224 Q Exam 3A Fall 217 Tues Dec 12 Version A Problem 1. Let X be the continuous random variable defined by the following pdf: { 1 x/2 when x 2, f(x) otherwise. (a) Compute the mean µ E[X]. E[X] x
More informationSOLVENCY AND CAPITAL ALLOCATION
SOLVENCY AND CAPITAL ALLOCATION HARRY PANJER University of Waterloo JIA JING Tianjin University of Economics and Finance Abstract This paper discusses a new criterion for allocation of required capital.
More informationThe Optimization Process: An example of portfolio optimization
ISyE 6669: Deterministic Optimization The Optimization Process: An example of portfolio optimization Shabbir Ahmed Fall 2002 1 Introduction Optimization can be roughly defined as a quantitative approach
More informationPhD Qualifier Examination
PhD Qualifier Examination Department of Agricultural Economics May 29, 2015 Instructions This exam consists of six questions. You must answer all questions. If you need an assumption to complete a question,
More informationThe Multinomial Logit Model Revisited: A Semiparametric Approach in Discrete Choice Analysis
The Multinomial Logit Model Revisited: A Semiparametric Approach in Discrete Choice Analysis Dr. Baibing Li, Loughborough University Wednesday, 02 February 2011-16:00 Location: Room 610, Skempton (Civil
More informationIEOR E4602: Quantitative Risk Management
IEOR E4602: Quantitative Risk Management Basic Concepts and Techniques of Risk Management Martin Haugh Department of Industrial Engineering and Operations Research Columbia University Email: martin.b.haugh@gmail.com
More informationTwo-Dimensional Bayesian Persuasion
Two-Dimensional Bayesian Persuasion Davit Khantadze September 30, 017 Abstract We are interested in optimal signals for the sender when the decision maker (receiver) has to make two separate decisions.
More informationLecture outline. Monte Carlo Methods for Uncertainty Quantification. Importance Sampling. Importance Sampling
Lecture outline Monte Carlo Methods for Uncertainty Quantification Mike Giles Mathematical Institute, University of Oxford KU Leuven Summer School on Uncertainty Quantification Lecture 2: Variance reduction
More informationμ: ESTIMATES, CONFIDENCE INTERVALS, AND TESTS Business Statistics
μ: ESTIMATES, CONFIDENCE INTERVALS, AND TESTS Business Statistics CONTENTS Estimating parameters The sampling distribution Confidence intervals for μ Hypothesis tests for μ The t-distribution Comparison
More informationLecture 2: The Simple Story of 2-SAT
0510-7410: Topics in Algorithms - Random Satisfiability March 04, 2014 Lecture 2: The Simple Story of 2-SAT Lecturer: Benny Applebaum Scribe(s): Mor Baruch 1 Lecture Outline In this talk we will show that
More informationSupplementary Material for Combinatorial Partial Monitoring Game with Linear Feedback and Its Application. A. Full proof for Theorems 4.1 and 4.
Supplementary Material for Combinatorial Partial Monitoring Game with Linear Feedback and Its Application. A. Full proof for Theorems 4.1 and 4. If the reader will recall, we have the following problem-specific
More informationThe Two Sample T-test with One Variance Unknown
The Two Sample T-test with One Variance Unknown Arnab Maity Department of Statistics, Texas A&M University, College Station TX 77843-343, U.S.A. amaity@stat.tamu.edu Michael Sherman Department of Statistics,
More informationInferences on Correlation Coefficients of Bivariate Log-normal Distributions
Inferences on Correlation Coefficients of Bivariate Log-normal Distributions Guoyi Zhang 1 and Zhongxue Chen 2 Abstract This article considers inference on correlation coefficients of bivariate log-normal
More informationIntroduction Recently the importance of modelling dependent insurance and reinsurance risks has attracted the attention of actuarial practitioners and
Asymptotic dependence of reinsurance aggregate claim amounts Mata, Ana J. KPMG One Canada Square London E4 5AG Tel: +44-207-694 2933 e-mail: ana.mata@kpmg.co.uk January 26, 200 Abstract In this paper we
More informationPh.D. Preliminary Examination MICROECONOMIC THEORY Applied Economics Graduate Program June 2017
Ph.D. Preliminary Examination MICROECONOMIC THEORY Applied Economics Graduate Program June 2017 The time limit for this exam is four hours. The exam has four sections. Each section includes two questions.
More informationLog-Robust Portfolio Management
Log-Robust Portfolio Management Dr. Aurélie Thiele Lehigh University Joint work with Elcin Cetinkaya and Ban Kawas Research partially supported by the National Science Foundation Grant CMMI-0757983 Dr.
More informationELEMENTS OF MONTE CARLO SIMULATION
APPENDIX B ELEMENTS OF MONTE CARLO SIMULATION B. GENERAL CONCEPT The basic idea of Monte Carlo simulation is to create a series of experimental samples using a random number sequence. According to the
More informationA relation on 132-avoiding permutation patterns
Discrete Mathematics and Theoretical Computer Science DMTCS vol. VOL, 205, 285 302 A relation on 32-avoiding permutation patterns Natalie Aisbett School of Mathematics and Statistics, University of Sydney,
More information2 Control variates. λe λti λe e λt i where R(t) = t Y 1 Y N(t) is the time from the last event to t. L t = e λr(t) e e λt(t) Exercises
96 ChapterVI. Variance Reduction Methods stochastic volatility ISExSoren5.9 Example.5 (compound poisson processes) Let X(t) = Y + + Y N(t) where {N(t)},Y, Y,... are independent, {N(t)} is Poisson(λ) with
More informationChapter 2 Uncertainty Analysis and Sampling Techniques
Chapter 2 Uncertainty Analysis and Sampling Techniques The probabilistic or stochastic modeling (Fig. 2.) iterative loop in the stochastic optimization procedure (Fig..4 in Chap. ) involves:. Specifying
More informationRevenue Management Under the Markov Chain Choice Model
Revenue Management Under the Markov Chain Choice Model Jacob B. Feldman School of Operations Research and Information Engineering, Cornell University, Ithaca, New York 14853, USA jbf232@cornell.edu Huseyin
More informationTwo-Sample Z-Tests Assuming Equal Variance
Chapter 426 Two-Sample Z-Tests Assuming Equal Variance Introduction This procedure provides sample size and power calculations for one- or two-sided two-sample z-tests when the variances of the two groups
More informationChapter 8: Sampling distributions of estimators Sections
Chapter 8 continued Chapter 8: Sampling distributions of estimators Sections 8.1 Sampling distribution of a statistic 8.2 The Chi-square distributions 8.3 Joint Distribution of the sample mean and sample
More information8.1 Estimation of the Mean and Proportion
8.1 Estimation of the Mean and Proportion Statistical inference enables us to make judgments about a population on the basis of sample information. The mean, standard deviation, and proportions of a population
More informationLogit Models for Binary Data
Chapter 3 Logit Models for Binary Data We now turn our attention to regression models for dichotomous data, including logistic regression and probit analysis These models are appropriate when the response
More informationA Macro-Finance Model of the Term Structure: the Case for a Quadratic Yield Model
Title page Outline A Macro-Finance Model of the Term Structure: the Case for a 21, June Czech National Bank Structure of the presentation Title page Outline Structure of the presentation: Model Formulation
More informationRegret Minimization and Correlated Equilibria
Algorithmic Game heory Summer 2017, Week 4 EH Zürich Overview Regret Minimization and Correlated Equilibria Paolo Penna We have seen different type of equilibria and also considered the corresponding price
More informationChapter 5. Sampling Distributions
Lecture notes, Lang Wu, UBC 1 Chapter 5. Sampling Distributions 5.1. Introduction In statistical inference, we attempt to estimate an unknown population characteristic, such as the population mean, µ,
More informationLevel by Level Inequivalence, Strong Compactness, and GCH
Level by Level Inequivalence, Strong Compactness, and GCH Arthur W. Apter Department of Mathematics Baruch College of CUNY New York, New York 10010 USA and The CUNY Graduate Center, Mathematics 365 Fifth
More informationQuantitative Introduction ro Risk and Uncertainty in Business Module 5: Hypothesis Testing Examples
Quantitative Introduction ro Risk and Uncertainty in Business Module 5: Hypothesis Testing Examples M. Vidyasagar Cecil & Ida Green Chair The University of Texas at Dallas Email: M.Vidyasagar@utdallas.edu
More informationLecture 11: Bandits with Knapsacks
CMSC 858G: Bandits, Experts and Games 11/14/16 Lecture 11: Bandits with Knapsacks Instructor: Alex Slivkins Scribed by: Mahsa Derakhshan 1 Motivating Example: Dynamic Pricing The basic version of the dynamic
More informationNEWCASTLE UNIVERSITY SCHOOL OF MATHEMATICS, STATISTICS & PHYSICS SEMESTER 1 SPECIMEN 2 MAS3904. Stochastic Financial Modelling. Time allowed: 2 hours
NEWCASTLE UNIVERSITY SCHOOL OF MATHEMATICS, STATISTICS & PHYSICS SEMESTER 1 SPECIMEN 2 Stochastic Financial Modelling Time allowed: 2 hours Candidates should attempt all questions. Marks for each question
More informationTutorial 6. Sampling Distribution. ENGG2450A Tutors. 27 February The Chinese University of Hong Kong 1/6
Tutorial 6 Sampling Distribution ENGG2450A Tutors The Chinese University of Hong Kong 27 February 2017 1/6 Random Sample and Sampling Distribution 2/6 Random sample Consider a random variable X with distribution
More informationEquity, Vacancy, and Time to Sale in Real Estate.
Title: Author: Address: E-Mail: Equity, Vacancy, and Time to Sale in Real Estate. Thomas W. Zuehlke Department of Economics Florida State University Tallahassee, Florida 32306 U.S.A. tzuehlke@mailer.fsu.edu
More informationA class of coherent risk measures based on one-sided moments
A class of coherent risk measures based on one-sided moments T. Fischer Darmstadt University of Technology November 11, 2003 Abstract This brief paper explains how to obtain upper boundaries of shortfall
More informationOn a Manufacturing Capacity Problem in High-Tech Industry
Applied Mathematical Sciences, Vol. 11, 217, no. 2, 975-983 HIKARI Ltd, www.m-hikari.com https://doi.org/1.12988/ams.217.7275 On a Manufacturing Capacity Problem in High-Tech Industry Luca Grosset and
More informationOn the Optimality of a Family of Binary Trees Techical Report TR
On the Optimality of a Family of Binary Trees Techical Report TR-011101-1 Dana Vrajitoru and William Knight Indiana University South Bend Department of Computer and Information Sciences Abstract In this
More informationEfficiency and Herd Behavior in a Signalling Market. Jeffrey Gao
Efficiency and Herd Behavior in a Signalling Market Jeffrey Gao ABSTRACT This paper extends a model of herd behavior developed by Bikhchandani and Sharma (000) to establish conditions for varying levels
More informationRichardson Extrapolation Techniques for the Pricing of American-style Options
Richardson Extrapolation Techniques for the Pricing of American-style Options June 1, 2005 Abstract Richardson Extrapolation Techniques for the Pricing of American-style Options In this paper we re-examine
More informationModelling Environmental Extremes
19th TIES Conference, Kelowna, British Columbia 8th June 2008 Topics for the day 1. Classical models and threshold models 2. Dependence and non stationarity 3. R session: weather extremes 4. Multivariate
More informationOn Sensitivity Value of Pair-Matched Observational Studies
On Sensitivity Value of Pair-Matched Observational Studies Qingyuan Zhao Department of Statistics, University of Pennsylvania August 2nd, JSM 2017 Manuscript and slides are available at http://www-stat.wharton.upenn.edu/~qyzhao/.
More informationInformation aggregation for timing decision making.
MPRA Munich Personal RePEc Archive Information aggregation for timing decision making. Esteban Colla De-Robertis Universidad Panamericana - Campus México, Escuela de Ciencias Económicas y Empresariales
More informationSubject CS1 Actuarial Statistics 1 Core Principles. Syllabus. for the 2019 exams. 1 June 2018
` Subject CS1 Actuarial Statistics 1 Core Principles Syllabus for the 2019 exams 1 June 2018 Copyright in this Core Reading is the property of the Institute and Faculty of Actuaries who are the sole distributors.
More information